char * SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) { char prompt[255]; secuPWData *pwdata = (secuPWData *)arg; secuPWData pwnull = { PW_NONE, 0 }; secuPWData pwxtrn = { PW_EXTERNAL, "external" }; char *pw; if (pwdata == NULL) pwdata = &pwnull; if (PK11_ProtectedAuthenticationPath(slot)) { pwdata = &pwxtrn; } if (retry && pwdata->source != PW_NONE) { PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n"); return NULL; } switch (pwdata->source) { case PW_NONE: sprintf(prompt, "Enter Password or Pin for \"%s\":", PK11_GetTokenName(slot)); return GetPasswordString(NULL, prompt); case PW_FROMFILE: /* Instead of opening and closing the file every time, get the pw * once, then keep it in memory (duh). */ pw = SECU_FilePasswd(slot, retry, pwdata->data); pwdata->source = PW_PLAINTEXT; pwdata->data = PL_strdup(pw); /* it's already been dup'ed */ return pw; case PW_EXTERNAL: sprintf(prompt, "Press Enter, then enter PIN for \"%s\" on external device.\n", PK11_GetTokenName(slot)); pw = GetPasswordString(NULL, prompt); if (pw) { memset(pw, 0, PORT_Strlen(pw)); PORT_Free(pw); } /* Fall Through */ case PW_PLAINTEXT: return PL_strdup(pwdata->data); default: break; } PR_fprintf(PR_STDERR, "Password check failed: No password found.\n"); return NULL; }
static Bool LoadPKCS12(SSL_CTX *ctx, const char *file) { char passbuf[256]; char *pass = NULL; PKCS12 *p12; EVP_PKEY *key = NULL; X509 *cert = NULL; BIO *input; int err_reason; int count = 0; const char *prompt = ASKPASS_PROMPT; /* read PKCS #12 from specified file */ if ((input = BIO_new_file(file, "r")) == NULL){ if (d2i_PKCS12_bio(input, &p12) == NULL) return FALSE; } p12 = d2i_PKCS12_bio(input, NULL); BIO_free(input); if (p12 == NULL) return FALSE; /* get key and cert from PKCS #12 */ for (;;){ if (PKCS12_parse(p12, pass, &key, &cert, NULL)) break; err_reason = ERR_GET_REASON(ERR_peek_error()); if (cert){ X509_free(cert); cert = NULL; } if (key){ EVP_PKEY_free(key); key = NULL; } if (err_reason != PKCS12_R_MAC_VERIFY_FAILURE){ Message("PKCS12_parse failure: %s", GetSSLErrorString()); break; } ERR_clear_error(); if (count >= 1) prompt = ASKPASS_PROMPT_RETRY; if ((pass = GetPasswordString(passbuf, sizeof(passbuf), prompt)) == NULL){ Message("PASSWORD input was canceled\n"); break; } count++; } //OPENSSL_cleanse(passbuf, sizeof(passbuf)); memset(passbuf, 0, sizeof(passbuf)); PKCS12_free(p12); /* set key and cert to SSL_CTX */ if (cert && key){ if (!SSL_CTX_use_certificate_with_check(ctx, cert)){ SSL_Error(_d("SSL_CTX_use_certificate failure:\n %s"), GetSSLErrorString()); return FALSE; } if (!SSL_CTX_use_PrivateKey(ctx, key)){ SSL_Error(_d("SSL_CTX_use_PrivateKey failure:\n %s"), GetSSLErrorString()); return FALSE; } if (!SSL_CTX_check_private_key(ctx)){ SSL_Error(_d("SSL_CTX_check_private_key failure:\n %s\n"), GetSSLErrorString()); return FALSE; } } else{ return FALSE; } return TRUE; }
static Bool LoadEnginePKCS11(SSL_CTX *ctx, ENGINE **e, const char *p11lib, const char *slotstr) { char certid[PKCS11_BUF_SIZE]; char certidbuf[PKCS11_BUF_SIZE]; char pinbuf[PKCS11_BUF_SIZE]; char *pin = NULL; EVP_PKEY *key = NULL; X509 *x509 = NULL; int rc = 0; int i; unsigned int nslots,ncerts; int nslot = 0; PKCS11_CTX *p11ctx; PKCS11_SLOT *slots, *slot; PKCS11_CERT *certs,*cert; pin = GetPasswordString(pinbuf, sizeof(pinbuf), PKCS11_ASKPIN_PROMPT); if (pin == NULL){ Message("PIN input was canceled\n"); return FALSE; } p11ctx = PKCS11_CTX_new(); /* load pkcs #11 module */ rc = PKCS11_CTX_load(p11ctx, p11lib); if (rc) { SSL_Error("loading pkcs11 engine failed: %s\n", ERR_reason_error_string(ERR_get_error())); return FALSE; } /* get information on all slots */ rc = PKCS11_enumerate_slots(p11ctx, &slots, &nslots); if (rc < 0) { SSL_Error("no slots available\n"); return FALSE; } /* get certificate and keyid by PKCS#11 */ if (strcmp("",slotstr)){ nslot = atoi(slotstr); if (nslot < nslots) { slot = (PKCS11_SLOT*)&slots[nslot]; if (!slot || !slot->token) { SSL_Error("no token available\n"); return FALSE; } } else { SSL_Error("no token available\n"); return FALSE; } } else { /* get first slot with a token */ slot = PKCS11_find_token(p11ctx, slots, nslots); if (!slot || !slot->token) { SSL_Error("no token available\n"); return FALSE; } for(i=0;i<nslots;i++) { if (&slots[i] == slot) { nslot = i; } } } printf("Slot manufacturer......: %s\n", slot->manufacturer); printf("Slot description.......: %s\n", slot->description); printf("Slot token label.......: %s\n", slot->token->label); printf("Slot token manufacturer: %s\n", slot->token->manufacturer); printf("Slot token model.......: %s\n", slot->token->model); printf("Slot token serialnr....: %s\n", slot->token->serialnr); /* perform pkcs #11 login */ rc = PKCS11_login(slot, 0, pin); if (rc != 0) { SSL_Error("PKCS11_login failed\n"); return FALSE; } /* get all certs */ rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts); if (rc) { SSL_Error("PKCS11_enumerate_certs failed\n"); return FALSE; } if (ncerts <= 0) { SSL_Error("no certificates found\n"); return FALSE; } /* use the first cert */ cert=(PKCS11_CERT*)&certs[0]; sprintf(certid,"slot_%d-id_",nslot); for(i=0;i<cert->id_len;i++) { sprintf(certidbuf,"%02x",(unsigned int)(cert->id[i])); strcat(certid,certidbuf); } printf("id:[%s] label:%s [%p]\n",certid,cert->label,cert->x509); x509 = X509_dup(cert->x509); PKCS11_logout(slot); PKCS11_release_all_slots(p11ctx, slots, nslots); PKCS11_CTX_unload(p11ctx); PKCS11_CTX_free(p11ctx); /* setup OpenSSL ENGINE */ if (!(*e = InitEnginePKCS11(p11lib, pin))){ return FALSE; } if(!(key = ENGINE_load_private_key(*e, certid, NULL, NULL))) { SSL_Error(_d("ENGINE_load_private_key failure:\n %s\n"), GetSSLErrorString()); return FALSE; } /* set key and cert to SSL_CTX */ if (key){ if (!SSL_CTX_use_certificate_with_check(ctx, x509)){ SSL_Error(_d("SSL_CTX_use_certificate failure:\n %s"), GetSSLErrorString()); return FALSE; } if (!SSL_CTX_use_PrivateKey(ctx, key)){ SSL_Error(_d("SSL_CTX_use_PrivateKey failure:\n %s"), GetSSLErrorString()); return FALSE; } if (!SSL_CTX_check_private_key(ctx)){ SSL_Error(_d("SSL_CTX_check_private_key failure:\n %s\n"), GetSSLErrorString()); return FALSE; } } memset(pin, 0, sizeof(pinbuf)); return TRUE; }